Firefox security hole was "just a joke"

[em_te]

http://developer.mozilla.org/devnews/index...ted-at-toorcon/

We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker that reported the potential javascript security issue referenced earlier. He gave us more code to work with and also made this statement and agreed to let me post it here:

The main purpose of our talk was to be humorous.

As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven?t used it to take over anyone else?s computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.

Sincerely,

Mischa Spiegelmock

Even though Mischa hasn?t been able to achieve code execution, we still take this issue seriously. We will continue to investigate.

-Window Snyder

[xpgeek]

What a (nasty name to call a person) this guy is.

[zeroday]

The allegedly critical hole reported yesterday in Firefox's JavaScript implementation has turned out, not surprisingly, to be a hoax. Mischa Spiegelmock, who made the claim at the Toorcon hacker conference, told Mozilla's security chief Window Snyder, "The main purpose of our talk was to be humorous."

While it is possible to create a stack overflow, the only result he has been able to produce is a browser crash. Neither he, nor anyone else, has managed to execute code via this hole. Spiegelmock claims to know nothing about the other 30 holes reported in the media. The Mozilla team nevertheless plans to look into the matter in order to detect and remedy any flaws.

Source

Moz Dev Centre Entry:

We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker that reported the potential javascript security issue referenced earlier. He gave us more code to work with and also made this statement and agreed to let me post it here:

The main purpose of our talk was to be humorous.

As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.

Sincerely,

Mischa Spiegelmock

Even though Mischa hasn’t been able to achieve code execution, we still take this issue seriously. We will continue to investigate.

-Window Snyder

Moz Dev Entry

[hagjohn]

Funny... ha ha!!!! I hope they do not invite him back to ever speak again.

[Randolph]

Funny... ha ha!!!! I hope they do not invite him back to ever speak again.

LOL now that is funny. :rofl:

[Meraklis56]

lol...let me ask.Did they pay him to say that he was laying?

[zeroday]

heh..so thats what happened to my thread lol.

[Fred Derf Veteran]

heh..so thats what happened to my thread lol.

Oops. Sorry.

[Threads Merged]

[Master Shake]

I love Firefox.

[Badtz-Maru]

Three of my major news sources, Slashdot, Ars, and bit-tech had reported this flaw, and now its fake? lol

[Pink Floyd Veteran]

ppl have too much time to waste :no:

[Futurix]

Funny that people from Mozilla.org managed to reproduce crash :whistle:

[halcyoncmdr]

As it said:

While it is possible to create a stack overflow, the only result he has been able to produce is a browser crash. Neither he, nor anyone else, has managed to execute code via this hole.

So while they can reproduce the crash is beside the point, no code is able to be executed through this hole, yet :shiftyninja:

[someware]

hmmm, whether or not there was a hole I don't think it really matters

It's just quite funny the effect the media has, not even the media, the internet!, the spread of word by individuals posting the same content from one forum to another. The untruthful content ends up on hundreds of sites... millions of people read it and believe it to be gospel.

There are probably thousands of people walking around today thinking their Firefox is insecure lol! :)

Then again only geeks use firefox and tbh the sensible people out there will be running virus scanners and firewalls.

When I saw the announcement of the '30 exploits' I thought ah well, they'll prolly fix it soon enough who cares :)

[burnsflipper]

Then again only geeks use firefox and tbh the sensible people out there will be running virus scanners and firewalls.

I use Firefox, and I'm a designer, not a geek :whistle:

[Favorable7404]

Demote them to script kiddie, like we did to Pluto!

[crimsonhead]

I have a bomb attached to my chest! And there's more where that came from!

Note: I do not have a bomb, it was a joke (funny right). I only have a few sparklers which I have never managed to burn anybody with. (but they sure are pretty).

[Malisk]

Three of my major news sources, Slashdot, Ars, and bit-tech had reported this flaw, and now its fake? lol

Yes.

I've seen it before, and I think this is a kind of new problem with the fast travelling unverified news getting mirrored on news sites, major or not. Don't go believe e.g Slashdot has much of a quality control in place.

[someware]

I use Firefox, and I'm a designer, not a geek :whistle:

hehe, i'm a geek :)

[The_Decryptor Veteran]

Yes.

I've seen it before, and I think this is a kind of new problem with the fast travelling unverified news getting mirrored on news sites, major or not. Don't go believe e.g Slashdot has much of a quality control in place.

They reported the combined statement by Mozilla and these guys, Mozilla said it knew of the flaw they were talking about (the DoS one), and the "report" included what the guys said.

I would rather them report on it, than just ignore it (even if it turns out to be a non-issue)